Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support to regen realm private keys on specified intervals #89

Open
ypid opened this issue Sep 19, 2016 · 3 comments
Open

Support to regen realm private keys on specified intervals #89

ypid opened this issue Sep 19, 2016 · 3 comments

Comments

@ypid
Copy link
Member

ypid commented Sep 19, 2016
edited
Loading

Currently, the realm key used for all certificates of this realm (internal, external, ACME) is created on realm creation. In the case of ACME and LE, the certificate is renewed at least all 3 months. Other certs are rotated less frequently. It should be possible to specify the wanted private key renewal period which can happen at cert renewal.

Ref: https://letsencrypt.org/2015/11/09/why-90-days.html
@drybjed
Copy link
Member

drybjed commented Sep 19, 2016

I see an issue with this - at the moment the hosts themselves execute the pki-realm script periodically to perform operations like renewal of ACME certificates. The script detects if the currently used certificate is valid, and if not it switches to the "next best" certificate in order: external, acme, internal, selfsigned. If we add an option to regenerate the private keys, the internal certificates will be broken since the internal CA located on the Ansble Controller would not have signed the certificate, resulting in the key/cert mismatch. I suppose that the key regeneration could be tied to the Ansible runs themselves and done periodically, but there's no guarantee that the run is performed periodically at all. Although that shouldn't be an issue in this case.

@ypid
Copy link
Member Author

ypid commented Sep 19, 2016

I suppose that the key regeneration could be tied to the Ansible runs themselves and done periodically, but there's no guarantee that the run is performed periodically at all.

Right. I would not really depend on that.

Maybe older private keys could be saved in the CA directory which still has a valid cert using this key.

@ypid
Copy link
Member Author

ypid commented Nov 17, 2016

For the common deployments using DebOps, e. g. VPSes or so using LE, key regeneration should be the default. I suspect that internal CAs or external CAs are used very infrequently for such deployments. For such cases we could recommend in the docs to disable pki_internal which could then switch on key regeneration for each cert if no external certs are provided (or maybe even then as suggested above).

Ref: https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices#12-protect-private-keys

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@drybjed @ypid